Beating a dead horse, or freeradius 2.1.1 and active directory

Alan DeKok aland at deployingradius.com
Wed Dec 3 19:03:12 CET 2008


Ben Little wrote:
> I'm attempting to configure freeradius to be used as a AAA mechanism for
> a bunch of cisco routers and switches, I have freeradius working
> correctly with local users however it appears that it is completely
> ignoring the mschap configuration that I've applied, I'm not sure why...
> 
> when attempting to perform a radtest locally I get the following:

  The radtest packet doesn't include MS-CHAP.  That's why it's not doing
MS-CHAP.

> It appears that the mschap is returning noop and not even attempting to
> authenticate the user, here's what I have done so far...

  Yes.  My web site has instructions on active directory integration.
It includes instructions on testing with radtest.

> no changes to radiusd.conf (I have read several times that if I touch 
> this file I get smacked like a red headed step child)

  Because too many people make edits without taking the time to
understand it.

> changes made to /modules/mschap
> 
>  mschap {
>         #use_mppe = no
>  	#require_encryption = yes
>         #require_strong = yes
>         with_ntdomain_hack = yes 
> 	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>                 --domain=%{mschap:NT-Domain}
>                 --username=%{mschap:User-Name}
>                 --challenge=%{mschap:Challenge:-00}
>                 --nt-response=%{mschap:NT-Response:-00}"

  That won't work (if it's *exactly* like that).  You will need to put
all of the "ntlm_auth" text on one line, or escape it via "\".  See
other examples, such as the SQL configurations.

> not really any changes to /sites-enabled/default I've tried adding
> ntlm_auth to the authenticate section but it doesn't seem to like
> that...here's the output from that.
...
> I have read the "how to" on deployingradius.com however, this "how to"
> appears to be written for a much older version of freeradius since many
> of the attributes mentioned are no longer contained in radiusd.conf,

  ?  It's up to date with the most recent version of the server.  Can
you describe what's wrong about the document?

  Alan DeKok.
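
An added example, not part of the original message and not FreeRADIUS code: a small Python check that applies the rule from the reply above (a quoted value must sit on one line, or each continued line must end with "\") to a constructed copy of the quoted mschap module. The function names and the simplified quote counting are assumptions of this sketch, not the server's own parser.

```python
import re

# Constructed sample: the mschap module as quoted in the post, with the
# ntlm_auth string split over several lines and no "\" continuations.
BROKEN = '''mschap {
        #require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
                --domain=%{mschap:NT-Domain}
                --username=%{mschap:User-Name}
                --challenge=%{mschap:Challenge:-00}
                --nt-response=%{mschap:NT-Response:-00}"
}
'''

def unescaped_quotes(line):
    """Count double quotes that are not preceded by a backslash."""
    return len(re.findall(r'(?<!\\)"', line))

def find_broken_strings(text):
    """Return 1-based numbers of lines that leave a quoted value open
    without ending in a backslash continuation."""
    bad, in_string = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not in_string and line.lstrip().startswith("#"):
            continue                     # comment line outside any string
        if unescaped_quotes(line) % 2 == 1:
            in_string = not in_string    # an odd count opens or closes a string
        if in_string and not line.endswith("\\"):
            bad.append(no)
    return bad

def add_continuations(text):
    """Apply the second fix from the reply: end each offending line with ' \\'."""
    bad = set(find_broken_strings(text))
    lines = [
        line.rstrip() + " \\" if no in bad else line
        for no, line in enumerate(text.splitlines(), 1)
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print("lines needing a continuation:", find_broken_strings(BROKEN))
    print(add_continuations(BROKEN))
```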


